php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55675 Buffer overflow error in imap_headerinfo can not be suppressed
Submitted: 2011-09-12 19:30 UTC Modified: 2015-08-29 14:03 UTC
Votes:7
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:2 (28.6%)
Same OS:2 (28.6%)
From: jeremy at thomersonfamily dot com Assigned: cmb (profile)
Status: Wont fix Package: IMAP related
PHP Version: Irrelevant OS: CentOS 5.5
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jeremy at thomersonfamily dot com
New email:
PHP Version: OS:

 

 [2011-09-12 19:30 UTC] jeremy at thomersonfamily dot com
Description:
------------
This is related to https://bugs.php.net/bug.php?id=50977

There are really two bugs here:
1 - the bug linked above - the buffer overflow when a message has too many addresses in the "To: " field (my test case had 580+)

2 - The fact that I can not suppress the error and continue script execution

Here is the error that is generated due to #1:

[Mon Sep 12 17:14:42 2011] [error] [client 10.1.XXX.XXX] PHP Fatal error:  imap_headerinfo() [<a href='function.imap-headerinfo'>function.imap-headerinfo</a>]: Address buffer overflow in /home/jrthomer/XXXXX/trunk/www/lib/imap.php on line 805, referer: https://example.com/jrthomer_qa/index.php

The imap_headerinfo call never returns.  The script is aborted.

The bigger problem is that no attempt at suppressing the error and continuing processing is working.  Typically we can catch an error like this with a try/catch if the function returns an exception.  If it does not (worst case scenario), we can suppress all errors with the "@" prefix before the function call.  In this case, neither worked.  Additionally, I tried set_error_handler with a custom error handler.  The error handler catches errors that I manually trigger using trigger_error (and the script continues processing), but it does *not* get called for the error that is pasted above.  

The script below is an example that shows all the error handling methods I have tried that are not working.



Test script:
---------------
function suppress_all_errors($errno, $errstr, $errfile, $errline) {
   print("there was an error calling imap_headerinfo {$errno}, {$errstr}, {$errfile}, {$errline}");
};

function getMessageHeaderInfo($objConn, $intUID, $blFullAttachmentDetails = false) {
   $intMessageNumber = imap_msgno($objConn, $intUID); // this works (in other words, connection and message UID are okay)

   $objHdr = false;
   try {
      set_error_handler("suppress_all_errors", E_ALL);

      // this error ends up in my error "suppress_all_errors" error handler
      trigger_error("test", E_ERROR); 

      // the following line results in an error in the logs and aborts the script
      // note that the try/catch does not work (no exception is thrown), 
      // the @ error suppressor does not work (the error is still logged and the script is aborted)
      // and the custom error handler set above does not get triggered
      $objHdr = @imap_headerinfo($objConn, $intMessageNumber); // <--- ERROR IS HERE
      restore_error_handler(); 
   } catch (Exception $e) {
      print("error getting imap_headerinfo: {$e}");
   }
}

Expected result:
----------------
Two expected results:

1 - there should not be a buffer overflow

2 - in the event of the buffer overflow, I should be able to continue script execution


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-29 14:03 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2015-08-29 14:03 UTC] cmb@php.net
Very long address lists can't be properly written to a buffer by
libc-client < 2006. ext/imap can't viably work around this
problem, so a *fatal* error is raised.

If you're still experiencing this issue, update libc-client.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 11:01:31 2025 UTC